Cyber - Security Lab Manual-1

The document outlines the procedures for installing Kali Linux on VirtualBox, exploring Kali Linux and Bash scripting, performing open source intelligence gathering, understanding the Nmap command, and installing Metasploitable in VirtualBox. Each section provides step-by-step instructions, software requirements, and results of successful execution. The aim is to equip users with practical skills in penetration testing and security research using various tools and techniques.

EX NO:1

INSTALLING KALI LINUX ON VIRTUAL BOX


DATE:

Aim:
To install Kali Linux on VirtualBox.

Procedure:
Kali Linux is a Debian-derived Linux distribution designed for penetration testing.
With over 600 preinstalled penetration-testing programs, it has earned a reputation as one of
the best operating systems for security testing. As a security-testing platform, it is
best to install Kali as a VM on VirtualBox, where it stays isolated from the host and can be
snapshotted and reset between exercises.

Kali has a rolling release model, ensuring up-to-date tools on your system. Also, there
is an active community of users providing ongoing support.

This step by step tutorial shows you how to install Kali Linux on VirtualBox.

Software and Hardware Requirements:

i) 20 GB of disk space
ii) 1 GB of RAM (preferably 2) for i386 and amd64 architectures
iii) VirtualBox (or alternative virtualization software)

Installation procedure of Kali linux:

Step 1: Download Kali Linux ISO Image

Navigate to the Kali Linux Downloads page and find the packages available for
download. Depending on the system you have, download the 64-Bit or 32-Bit version.
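Before the ISO is booted it should be checked against the SHA256SUMS file that Kali publishes next to its images (and that file, in turn, against its detached signature SHA256SUMS.gpg). The function below is an added example, not part of the manual: it reads the entry for the ISO's file name out of a SHA256SUMS file and compares it with the hash of the download. The script name and the ISO name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the manual: verify a downloaded ISO against a SHA256SUMS file.
# A SHA256SUMS file has one line per image: "<64 hex digits>  <file name>".

# sha256_of FILE -> the hex SHA-256 of FILE (sha256sum on Linux, shasum on systems without it)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{ print $1 }'
}

# verify_iso ISO SUMSFILE -> exit 0 if the SHA-256 of ISO matches its entry in SUMSFILE,
# 1 if the hashes differ or SUMSFILE has no entry for that file name
verify_iso() {
    iso="$1"
    sums="$2"
    name=$(basename "$iso")
    # take the first entry whose file name matches; an absent entry is a failure, not a pass
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$iso")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Stand-alone use (names are placeholders): sh verify_iso.sh <kali-installer>.iso SHA256SUMS
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```

Run gpg --verify SHA256SUMS.gpg SHA256SUMS first, with the Kali archive signing key imported from the fingerprint published on kali.org; a matching hash only proves the ISO matches the SHA256SUMS file you downloaded, and the signature is what ties that file to the Kali project.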

Step 2: Create Kali Linux VirtualBox Container

After downloading the .iso image, create a new virtual machine and import Kali as its
OS.
1. Launch VirtualBox Manager and click the New icon

2. Name and operating system. A pop-up window for creating a new VM appears.
Specify a name and a destination folder. The Type and Version change automatically,
based on the name you provide. Make sure the information matches the package you
downloaded and click Next.
3. Memory size. Choose how much memory to allocate to the virtual machine and click Next.
The default setting for Linux is 1024 MB. However, this varies depending on your individual
needs.

4.Hard disk. The default option is to create a virtual hard disk for the new VM. Click Create
to continue. Alternatively, you can use an existing virtual hard disk file or decide not to add
one at all.

5. Hard disk file type. Stick to the default file type for the new virtual hard disk, VDI
(VirtualBox Disk Image). Click Next to continue.

6. Storage on a physical hard disk. Decide between Dynamically allocated and Fixed
size. The first choice allows the new hard disk to grow and fill up space dedicated to it.
The second, fixed size, uses the maximum capacity from the start. Click Next.

7. File location and size. Specify the name and where you want to store the virtual hard
disk. Choose the amount of space the VM is allowed to use on the physical disk. Give it at
least 20 GB, matching the requirement above. Click Create to finish.

Now you created a new VM. The VM appears on the list in the VirtualBox Manager.
Step 3: Configure Virtual Machine Settings

1. Select a virtual machine and click the Settings icon. Make sure you marked the correct
VM and that the right-hand side is displaying details for Kali Linux.
2. In the Kali Linux – Settings window, navigate to General > Advanced tab. Change the
Shared Clipboard and Drag'n'Drop settings to Bidirectional. This feature allows
you to copy and paste between the host and guest machine. It is convenient, but it also
lets anything running in the guest read the host clipboard; for a VM that will handle
malware samples or attacker tooling, leave it disabled.

Go to System > Motherboard. Set the boot order to start from Optical, followed by
Hard Disk. Uncheck Floppy as it is unnecessary.

3. Next, move to the Processor tab in the same window. Increase the number of
processors to two (2) to enhance performance.

4. Finally, navigate to Storage settings. Add the downloaded Kali image to a storage
device under Controller: IDE. Click the disk icon to search for the image. Once
finished, close the Settings window.
Step 4: Installing and Setting Up Kali Linux

After you booted the installation menu by clicking Start, a new VM VirtualBox window
appears with the Kali welcome screen.

Select the Graphical install option and go through the following installation steps for
setting up Kali Linux in VirtualBox.

1. Select a language. Choose the default language for the system (which will also be the
language used during the installation process).

2. Select your location. Find and select your country from the list (or choose “other”).

3. Configure the keyboard. Decide which keymap to use. In most cases, the best option is
to select American English.

4. Configure the network. First, enter a hostname for the system and click Continue.

5. Next, create a domain name (the part of your internet address after your hostname).
Domain names usually end in .com, .net, .edu, etc. Make sure you use the same domain
name on all your machines.

6. Set up users and passwords. Create a user account with a strong password. (Older Kali
installers asked for a root password instead; since Kali 2020.1 the installer creates a
non-root user and you elevate with sudo.)
7. Configure the clock. Select your time zone from the available options.

8. Partition disks. Select how you would like to partition the hard disk. Unless you have a
good reason to do it manually, go for the Guided –use entire disk option.

9. Then, select which disk you want to use for partitioning. As you created a single
virtual hard disk in Step 3: Adjust VM Settings, you do not have to worry about data loss.
Select the only available option – SCSI3 (0,0,0) (sda) – 68.7 GB ATA VBOX
HARDDISK (the details after the dash vary depending on your virtualization software and
the disk size you chose).

10. Next, select the scheme for partitioning. If you are a new user, go for All files in one
partition.

11. The wizard gives you an overview of the configured partitions. Continue by
navigating to Finish partitioning and write changes to disk. Click Continue and confirm
with Yes.

12. The wizard starts installing Kali. While the installation bar loads, additional
configuration settings appear.

13. Configure the package manager. Select whether you want to use a network mirror
and click Continue. Enter the HTTP proxy information if you are using one. Otherwise,
leave the field blank and click Continue again.

14. Install the GRUB boot loader on a hard disk. Select Yes and Continue. Then, select a
boot loader device to ensure the newly installed system is bootable.

15. Once you receive the message Installation is complete, click Continue to reboot
your VM.

16. With this, you have successfully installed Kali Linux on VirtualBox. After rebooting,
the Kali login screen appears. Type in the username and password you entered in the
previous steps.

17. Finally, the interface of Kali Linux appears on your screen.


Result:
Thus Kali Linux has been installed on VirtualBox successfully.
EX NO:2
EXPLORE KALI LINUX AND BASH SCRIPTING
DATE:

Aim:
To explore Kali Linux and Bash scripting.

Procedure:
A Bash script is a plain-text file that contains a series of commands that are
executed as if they had been typed in a terminal window. By convention, Bash scripts carry
an optional .sh extension for identification (a script runs without one), begin with the
#!/bin/bash interpreter line, and must have the executable permission set before they can
be run directly. Let's write a simple "Hello World" Bash script: create a new file with any
text editor, name it hello-world.sh and write the script into it.

To make this script executable, run the following command:

chmod +x hello-world.sh

In the following screenshot we can see the output of the above command:

Now we can run the script with the following command:

bash hello-world.sh

Our script prints "Hello World!" on the terminal, as the following screenshot shows:

The chmod command with the +x flag sets the executable bit. Note that bash hello-world.sh
works even without it, because the bash binary reads the file as input; the bit is what
lets you run the script directly as ./hello-world.sh, in which case the kernel reads the
#!/bin/bash line to choose the interpreter. This was our first Bash script. Let's explore
Bash in a bit more detail.

We can declare variable values in various ways. The easiest method is to set the value
directly with a simple name=value declaration. Remember that there must be no spaces on
either side of the "=" sign, and that a value containing spaces has to be quoted.

On our terminal we can run the following command:

name=Kali

Then we run another command:

surname=Linux

Declaring a variable is pointless unless we can use (reference) it. To do this, we precede
the variable name with the $ character. Whenever Bash sees this ($) syntax in a command, it
replaces the variable name with its value before executing the command. For example, we can
echo both variables with the following command:

echo $name $surname

In the following screenshot we can see that the output shows the values of the variables:

Bash scripts are no different: we can supply command-line arguments and use them in our
scripts as $1, $2 and so on, with $# holding the argument count. For an example, see the
following screenshot:
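The argument handling that the manual leaves to a screenshot, written out as an added example (not the manual's own hello-world.sh): positional parameters, a default for a missing argument, quoting of "$@", and the executable-bit check behind chmod +x. The function names are this example's own.

```shell
#!/bin/bash
# Added example, not from the manual: command-line arguments, defaults, quoting and exit
# status in Bash, written as functions so they can be called directly or from a script.

# greet NAME [SURNAME] -> "Hello NAME SURNAME!"; SURNAME defaults to Linux
greet() {
    name="${1:?usage: greet NAME [SURNAME]}"   # $1 is the first argument; abort if missing
    surname="${2:-Linux}"                       # $2 is the second; ${2:-x} supplies a default
    printf 'Hello %s %s!\n' "$name" "$surname"  # quoting keeps values with spaces intact
}

# count_args ... -> the number of arguments ($#); "b c" passed in quotes counts as one
count_args() {
    printf '%d\n' "$#"
}

# join_args SEP ... -> the arguments after SEP joined by SEP; shift drops $1 so that the
# loop over "$@" only sees the remaining arguments
join_args() {
    sep="$1"; shift
    out="$1"; shift
    for arg in "$@"; do
        out="$out$sep$arg"
    done
    printf '%s\n' "$out"
}

# is_runnable FILE -> exit 0 if FILE can be started as ./FILE (executable bit set), else 1.
# "bash FILE" works without the bit, which is why chmod +x only matters for the ./ form.
is_runnable() {
    [ -x "$1" ]
}

# When started with arguments, behave like a hello-world.sh that greets whoever is named:
#   ./args.sh Kali Linux        (script name is a placeholder)
if [ "$#" -gt 0 ]; then
    greet "$@"
    echo "script $0 received $(count_args "$@") argument(s)"
fi
```

Every function's result is its printed output or its exit status, so they can be used in tests and in other scripts with $(...) and if ...; then, the same two mechanisms Bash uses to pass values between commands.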

Result
Thus Kali Linux and Bash scripting have been explored successfully.
EX NO:3
PERFORM OPEN SOURCE INTELLIGENCE GATHERING
DATE:

Aim:
To perform open source intelligence gathering.

Procedure:
NETCRAFT:

We will learn how to get information about the technologies used by a target
website. To do this, we use the Netcraft site report (https://www.netcraft.com): enter the
target address, in this case isecur1ty.org, and click on the arrow as shown in the following
screenshot:

After this, click on Site Report as shown in the following screenshot:

In the given screenshot, we can see some basic information like Site title, Site
rank, Description, Keywords, and when the website was created:

In the preceding screenshot, we can see that it is hosted in the UK, and we can also see the
nameserver, ns1.digitalocean.com. Looking up ns1.digitalocean.com shows that it belongs to a
web-hosting company.

So the site runs on shared infrastructure operated by a third party. Knowing the hosting
provider tells us what else may be co-located with the target and which platform-level
weaknesses could apply; it does not make the provider itself a target. ns1.digitalocean.com
belongs to DigitalOcean, not to isecur1ty, and is out of scope unless the engagement
authorisation explicitly includes it.

If we scroll further down, we will see the Hosting History of the hosting companies that
isecur1ty has used. The latest entry is running Linux with Apache 2.2.31 (with Unix mod_ssl
and the other add-ons), the same server version we saw in the previous section.

MALTEGO:
Maltego is an information-gathering tool installed in Kali Linux by default. It maps the
relationships and real-world links between entities such as people, organisations, domains,
DNS names, IP addresses and email addresses.
Run Maltego in Kali Linux:
As noted, Maltego is available in Kali Linux by default, so you can start it from
Applications > Information Gathering > Maltego, or from a terminal:
$ maltego &

The welcome screen appears.


Once you have logged in to the Maltego server, select the transform seeds and install them.
After the transform installation completes you are ready to run a new machine for
gathering information.

A) Select Run new Machine and click Finish.

B) A new wizard pops up; you can run the machine from this wizard or cancel it and run the
machine from the Maltego program. To run a machine with the wizard, select the machine type
and click Next.

C) If you select Company Stalker you will have to specify the target (a domain name) in the
new window. Provide the domain and click Finish.

After the machine has run, you will get a result like the following. Run further transforms
to get the details of name servers, mail servers, IP addresses, and much more.

WHOIS LOOKUP:

This package provides a commandline client for the WHOIS (RFC 3912) protocol,
which queries online servers for information such as contact details for domains and IP
address assignments. It can intelligently select the appropriate WHOIS server for most
queries.

The package also contains mkpasswd, a features-rich front end to the password
encryption function crypt(3).

Installed size: 386 KB


How to install: sudo apt install whois

To get the registration information for a domain name (or the assignment information for an
IP address), issue the command as shown in the example below.
$ whois google.com
Domain Name: GOOGLE.COM
Registry Domain ID: 2138514_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2011-07-20T16:55:31Z
Creation Date: 1997-09-15T04:00:00Z
Registry Expiry Date: 2020-09-14T04:00:00Z
Registrar: MarkMonitor Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM
....

The fields worth reading first are the Domain Status lines (registrar and registry locks
against deletion, transfer and update), the Registry Expiry Date (an expired domain can be
re-registered by anyone), and the Name Server lines, which show who runs DNS for the domain.
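Reading a WHOIS record by eye is fine for one domain; for a list of targets the fields above are worth extracting with a script. The functions below are an added example (not from the manual or the whois package). The record they parse is constructed from the manual's google.com excerpt so that the example runs offline; on a live system feed them "$(whois example.com)" instead.

```shell
#!/bin/sh
# Added example, not from the manual: extract the WHOIS fields you act on and turn them into
# checks. SAMPLE_WHOIS is constructed from the google.com record shown on this page (a 2020
# snapshot), so the expiry check below reflects that date, not the domain's current state.

SAMPLE_WHOIS='Domain Name: GOOGLE.COM
Registrar WHOIS Server: whois.markmonitor.com
Registrar: MarkMonitor Inc.
Registry Expiry Date: 2020-09-14T04:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Name Server: NS1.GOOGLE.COM
Name Server: NS2.GOOGLE.COM
Name Server: NS3.GOOGLE.COM
Name Server: NS4.GOOGLE.COM'

# whois_field RECORD FIELD -> every value of FIELD, one per line. WHOIS lines are
# "Field: value"; the exact match on $1 keeps "Registrar" from also matching
# "Registrar WHOIS Server".
whois_field() {
    printf '%s\n' "$1" | awk -F': ' -v f="$2" '$1 == f { print $2 }'
}

# name_server_domains RECORD -> the registrable domains the name servers live in, deduplicated.
# Name servers in someone else's zone mean hosted DNS, the kind of finding the Netcraft section
# above turns up (ns1.digitalocean.com for isecur1ty.org).
name_server_domains() {
    whois_field "$1" 'Name Server' | tr 'A-Z' 'a-z' |
        awk -F. '{ print $(NF-1) "." $NF }' | sort -u
}

# transfer_locked RECORD -> exit 0 if the registrar lock clientTransferProhibited is set
transfer_locked() {
    whois_field "$1" 'Domain Status' | grep -q '^clientTransferProhibited'
}

# expiry_date RECORD -> the Registry Expiry Date as YYYY-MM-DD
expiry_date() {
    whois_field "$1" 'Registry Expiry Date' | head -n 1 | cut -c1-10
}

# expires_before RECORD YYYY-MM-DD -> exit 0 if the domain expires before that date.
# ISO dates sort as strings, so awk's string comparison is enough and no date parsing is needed.
expires_before() {
    awk -v a="$(expiry_date "$1")" -v b="$2" 'BEGIN { exit !(a < b) }'
}

# Stand-alone use: sh whois_fields.sh example.com   (script name is a placeholder)
if [ -n "$1" ]; then
    rec=$(whois "$1")
    echo "registrar: $(whois_field "$rec" Registrar)"
    echo "expires:   $(expiry_date "$rec")"
    echo "dns in:    $(name_server_domains "$rec" | tr '\n' ' ')"
    transfer_locked "$rec" && echo "transfer lock: set" || echo "transfer lock: NOT set"
fi
```

Registries differ in field names (the "Registry Expiry Date" label is the ICANN gTLD format; many ccTLD registries use their own), so check the raw output once per TLD before trusting the parser on it.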

Result:
Thus the open source intelligence gathering has been executed successfully.
EX NO:4
UNDERSTAND THE NMAP COMMAND AND SCAN A TARGET
DATE: USING NMAP

Aim:
To understand the nmap command and scan a target using nmap.
Procedure:
Nmap is a network scanning tool that uses IP packets to identify the devices connected to
a network and to report the services and operating systems they are running.
Most of the common functions of Nmap can be executed using a single command, and the
program also accepts a number of shortcut options that automate common tasks.

1. Ping Scanning

A ping scan performs host discovery only (no port scan) and returns every active IP on
your network. You can execute a ping scan with this command:
# nmap -sn 192.100.1.1/24

(-sP is the older spelling of the same option; Nmap options are case-sensitive, so a
lowercase -sp is not valid.)

2. Port Scanning

A port scan probes a host to find which ports accept connections. Without further options
Nmap scans the 1,000 most common TCP ports of the target; the -p option selects ports
explicitly and -sU adds UDP ports. The open ports are the entry points the later exercises
attack.

3. Host Scanning

To go beyond the ping sweep and get detailed information on a particular host or a range
of IP addresses, run a default scan against it:
# nmap <target IP range>

4. OS Scanning

OS detection is one of the most powerful features of Nmap. When using this type of scan,
Nmap sends a series of TCP, UDP and ICMP probes to open and closed ports of the host and
analyses the responses. It compares them with its database of several thousand OS
fingerprints and returns the likely OS (and version) of the host. OS detection needs raw
packets, so it has to be run as root.
To run an OS scan, use the following command:
# nmap -O <target IP>

5. Scan the Most Popular Ports

The --top-ports option restricts a scan to the ports Nmap rates as most commonly open
(for example the top 20), which gives a quick first look at a large address range.

Result:
Thus the Nmap command has been understood and a target has been scanned using Nmap
successfully.
EX NO:5
INSTALLATION OF METASPLOITABLE IN VIRTUALBOX
DATE: AND SEARCH FOR UNPATCHED VULNERABILITIES

Aim:
To install Metasploitable in VirtualBox and search for unpatched vulnerabilities.

Procedure:
Metasploitable is a deliberately vulnerable testing environment that is very useful for
beginners who want to practise and test their penetration-testing skills and for security
research. It is a target machine built to be discovered and exploited, so that the user
gets an idea of real-life targets. Because it is insecure by design, it must only be
reachable from your own lab network (a host-only or internal VirtualBox network), never
bridged to a shared or public one.

Installation

Step 1: Download the Metasploitable 2 file.

Step 2: The file comes as a zip archive, so extract it (it contains a Metasploitable.vmdk
virtual disk); after extracting, open VirtualBox.

Step 3: As shown in the above image, click the New option in VirtualBox and give the
machine a name.
Step 4: Select the RAM you want to give the virtual machine; 512 MB is recommended.

Step 5: Choose the option to use an existing virtual hard disk file and select the
extracted .vmdk.

Step 6: Save the settings and you will see that the instance has been created with the name
you gave it. Put its network adapter on the same host-only or internal network as your Kali
VM.

Step 7: Once the instance has booted you will be asked for a login name and password; the
defaults are msfadmin for both.

Demo of penetration testing with Metasploitable 2:

Step 1: Open both machines, Metasploitable 2 and Kali Linux, side by side.
Run both instances at the same time so that you can see the changes clearly: launch
VirtualBox and start both Kali Linux and Metasploitable 2.

Step 2: Check the IP addresses of both machines to get an overview of the target
machine.
msfadmin@metasploitable:~$ ifconfig
Step 3: Perform a network scan with the help of the Nmap tool to see what services are
running on the target and which of them are a way in.

The first step is to look for open services and vulnerabilities that we can exploit, so we
run an Nmap scan from a terminal on Kali (-O needs root privileges):

$ sudo nmap -sV -O 192.168.10.5
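Reading the scan off the terminal works for one host; with a range (Exercise 4) it is easier to let Nmap also write its grepable format with -oG FILE and process that. The functions below are an added example, not from the manual or from Nmap: they list the open ports of a host, find every host with a given port open, and match version banners against a table of known module pairings. The scan file is constructed to resemble what nmap -sV -O -oG writes for a Metasploitable 2 host; it is not a real capture, and the only banner-to-module pairing in the table is the one this manual makes (vsftpd 2.3.4 and exploit/unix/ftp/vsftpd_234_backdoor).

```shell
#!/bin/sh
# Added example, not from the manual: post-process "nmap ... -oG FILE" output. Each host is
# one line of tab-separated fields; the "Ports:" field holds comma-separated entries of the
# form port/state/proto/owner/service/rpcinfo/version/. Nmap writes "|" where a version
# string contains "/".

# Constructed sample of grepable output for a Metasploitable 2 style host (not a real capture)
write_sample_gnmap() {
    {
        printf '# Nmap 7.94 scan initiated as: nmap -sV -O -oG scan.gnmap 192.168.10.0/24\n'
        printf 'Host: 192.168.10.5 ()\tStatus: Up\n'
        printf 'Host: 192.168.10.5 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV|2)/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/\tIgnored State: closed (995)\tOS: Linux 2.6.9 - 2.6.33\n'
        printf 'Host: 192.168.10.1 ()\tStatus: Up\n'
        printf 'Host: 192.168.10.1 ()\tPorts: 53/open/tcp//domain//dnsmasq 2.80/\tIgnored State: closed (999)\n'
        printf '# Nmap done -- 256 IP addresses (2 hosts up) scanned\n'
    } > "$1"
}

# gnmap_open_ports FILE HOST -> "port/proto service version" for every open port on HOST
gnmap_open_ports() {
    awk -F'\t' -v host="$2" '
        index($1, "Host: " host " ") == 1 {
            for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
                n = split(substr($i, 8), ports, ", ")
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    if (f[2] == "open") print f[1] "/" f[3] " " f[5] " " f[7]
                }
            }
        }' "$1"
}

# gnmap_hosts_with_port FILE PORT -> every host on which PORT is open
gnmap_hosts_with_port() {
    awk -F'\t' -v port="$2" '
        index($1, "Host: ") == 1 {
            split($1, h, " ")
            for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
                n = split(substr($i, 8), ports, ", ")
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    if (f[1] == port && f[2] == "open") print h[2]
                }
            }
        }' "$1"
}

# Version banner -> Metasploit module. Only the pairing this manual makes is listed; add
# others one per line once you have verified them against the module's documentation.
KNOWN_VULN='vsftpd 2.3.4 => exploit/unix/ftp/vsftpd_234_backdoor'

# flag_known_vulnerable FILE -> "host port/proto version -> module" for every open port
# whose exact version banner appears in KNOWN_VULN
flag_known_vulnerable() {
    awk -F'\t' -v table="$KNOWN_VULN" '
        BEGIN {
            n = split(table, rows, "\n")
            for (r = 1; r <= n; r++) { split(rows[r], kv, " => "); mod[kv[1]] = kv[2] }
        }
        index($1, "Host: ") == 1 {
            split($1, h, " ")
            for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
                np = split(substr($i, 8), ports, ", ")
                for (j = 1; j <= np; j++) {
                    split(ports[j], f, "/")
                    if (f[2] == "open" && (f[7] in mod))
                        print h[2] " " f[1] "/" f[3] " " f[7] " -> " mod[f[7]]
                }
            }
        }' "$1"
}

# Stand-alone use: sh gnmap_triage.sh scan.gnmap   (script name is a placeholder)
if [ -n "$1" ]; then
    flag_known_vulnerable "$1"
fi
```

For the lab, sudo nmap -sV -O -oG scan.gnmap 192.168.10.5 followed by flag_known_vulnerable scan.gnmap prints the vsftpd line that the next step acts on. An exact banner match is deliberately strict: a version string that differs by a patch level or distribution suffix may or may not be vulnerable, and that decision belongs to you, not to the script.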


Step 4: The scan shows vsftpd 2.3.4 on port 21, the service behind the exploit we need, i.e.
vsftpd_backdoor, so now we can use Metasploit to exploit the machine and get a command
shell, which gives us access to the target machine.
$ msfconsole
Step 5: Now all we need to do is deploy the exploit against the target machine with the
help of msfconsole. The basic steps are:
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
After selecting the exploit, set up the target to which we are deploying it:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

We can see that we have to set RHOSTS, the remote host(s), i.e. the target. (Older guides
write RHOST; recent Metasploit versions accept it as an alias.) Set it to the IP address
of the target machine:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.10.5

Step 6: The final step is to run the exploit, with the exploit command:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

After setting RHOSTS, enter the exploit command and you will see that a command shell on
the target machine is obtained.
Step 7: Verify by running some shell commands, such as printing the working directory,
listing a directory, or showing which user you are:

pwd, ls -l, ls -a, id, etc.

So we have seen how Metasploitable is useful for practising penetration-testing skills.
Comparing the listings on both sides shows the same files, and id reports uid=0(root): we
have root access to the machine.

Result:
Thus Metasploitable has been installed and the search for unpatched vulnerabilities has
been executed successfully.
EX NO:6
USE METASPLOIT TO EXPLOIT AN UNPATCHED
DATE: VULNERABILITY

Aim:
To exploit an unpatched vulnerability using Metasploit.

Metasploit - Exploit
After vulnerability scanning and vulnerability validation, we run and test exploit
modules (scripts called exploits) in order to gain access to a machine and do what we are
planning to do.

Exploit using Command Prompt:

From the vulnerability scanner, we found that the Linux machine we have for testing runs a
vulnerable FTP service (the vsftpd 2.3.4 backdoor found in the previous exercise). Now we
use an exploit that matches it. The commands are:

msf > use <exploit path>

msf > show options

The options show that we have to set RHOST to the target IP:

msf > set RHOST 192.168.1.101
msf > set RPORT 21
msf > run

RPORT already defaults to 21 for the vsftpd module, so setting it only matters if the
service listens elsewhere; run and exploit are synonyms. If the exploit is successful, we
will see one session opened, as shown in the following screenshot.

Now, we can interact with this system.

Result:
Thus the exploitation of an unpatched vulnerability using Metasploit has been
executed successfully.
EX NO:7
INSTALLING LINUX SERVER ON THE VIRTUAL BOX AND
DATE: INSTALL SSH

Aim:
To install a Linux server on VirtualBox and install SSH.

Procedure:

Step 1: Install VirtualBox on your server host

To install VirtualBox, just visit virtualbox.org, click the download link, and
launch the executable. When you first start VirtualBox, it should automatically offer to
download its Extensions Pack — do this, and install it.

Step 2: Download Ubuntu Server

Download a copy of Ubuntu Server 18.04.5 LTS, which is a recent version of Ubuntu Server
supported by Mirantis for all of its products.

Step 3: Create and configure a new VirtualBox virtual machine

Start VirtualBox, and click on the top menu: Machine>New (or press CTRL-N).

Select Linux and Ubuntu (64-bit) from the popdowns. Give your machine a generic name
that identifies it by operating system and version. You’ll use this initial VM image to
create new VMs as you need them (a process called “cloning”).
On the next screen, select the radio button to create a virtual hard disk file.

And select the radio button to use VDI format for the virtual disk.
Finally, pick the size of your virtual hard disk. 10GB — the default — is sufficient
for most projects. Kubernetes nodes may require 25GB or more.

Next, click to highlight your new VM in the left-hand menu and select
Settings>System>Processor. A typical server VM will profit by being given two or more
virtual CPUs (vCPUs). A Kubernetes node can use more, if your physical CPU has
sufficient cores available.
Step 4: Install Ubuntu Server
Ubuntu Server usually installs without a hiccup. Your VM will automatically restart when
installation is complete. You’ll be prompted to remove the boot disk (the CD ROM in this
case), but you can just press any key to pass this prompt. Log in with your username and
password.

Step 5: Update your server

Unless updates were applied during installation, the next step is to update your server
with recent patches and software improvements.

sudo apt-get update


sudo apt-get upgrade
Step 6: Passwordless sudo

By default, Ubuntu Server insists that you enter a password before executing commands with
sudo. This can be annoying on a lab machine. If you'd like to use sudo without being asked
for a password, add a rule for your user with visudo, which checks the syntax before saving
(a broken sudoers file can lock you out of sudo). Replace username with your actual login
name; the literal text $USER is not expanded inside sudoers. Note: on some cloud platforms,
like Amazon Web Services EC2, Ubuntu is preconfigured with passwordless sudo for the
administrative user by default. Passwordless sudo means that anyone who obtains your SSH
key or an unlocked session is root, so treat it as a convenience for throwaway lab VMs, not
a setting for a production server.
sudo visudo
username ALL=(ALL) NOPASSWD: ALL

Step 7: Fix vi
The vi editor is a modal screen editor that's often used to make changes in
configuration files. The benefit of vi is that it's preinstalled on pretty much any Linux
server, so it's always available. The nano editor, which is a little easier for newcomers,
is usually also preinstalled for making quick file changes. Try editing a file with it:

sudo vi /etc/hosts
Step 8: Enable SSH

You'll need the OpenSSH server active in order to be able to log in to your server
remotely. Various deployer software (e.g., Mirantis Launchpad) also requires SSH to
connect to servers and install software on them. If the installer did not add it, install
the openssh-server package first. Find the server's address with:

ip addr
Then start the OpenSSH server:
sudo systemctl start ssh

On new Ubuntu Server installs, the ssh service normally enables itself at installation, so
if you restart this VM, SSH access will come back.
At this point, you can try logging in to the server from your host or workstation VM:
ssh <username>@<ip_of_server>
You'll need to provide your password.
Step 9: Upload a public key to your server for passwordless SSH
This is easy to set up. Our tutorial How to Generate an SSH Keypair shows you how, and
how to upload the public key to your server. Once you've done this, you should be able to
log in to your server from your desktop using your private key, which is stored in
/home/user/.ssh, as follows, where id_rsa is the name of the private key file (a key
generated today would usually be an Ed25519 key named id_ed25519):
ssh -i /home/user/.ssh/id_rsa <username>@<ip_of_server>
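Once the key login works, the step that actually hardens the server is turning password login and root login off in /etc/ssh/sshd_config. Two details of that file bite in practice: sshd uses the first value it reads for a keyword (a hardening line appended at the bottom is ignored if the keyword is already set above it), and an absent keyword means the compiled-in default applies, which for PasswordAuthentication is yes. The script below is an added example, not from the manual or from OpenSSH: it reads a config the way sshd does for these four keywords and reports anything weaker than wanted. The function names and the drop-in file name it mentions are this example's own; Match blocks are not handled.

```shell
#!/bin/sh
# Added example, not from the manual: audit an sshd_config for the settings that matter once
# key-based login works. First-value-wins and compiled-in defaults are modelled; Match
# blocks are not (everything after a Match line is treated as global here).

# sshd_setting FILE KEYWORD -> the effective value in FILE, or empty if FILE does not set it.
# Keywords are case-insensitive; commented-out lines (#Keyword) do not count.
sshd_setting() {
    awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints each setting weaker than wanted; exit status 1 if any,
# 0 if the file is clean. Each rule is "keyword wanted default-when-absent" (OpenSSH 7.x/8.x).
audit_sshd_config() {
    file="$1"
    failed=0
    for rule in \
        "PasswordAuthentication no yes" \
        "PermitRootLogin no prohibit-password" \
        "PubkeyAuthentication yes yes" \
        "PermitEmptyPasswords no no"
    do
        set -- $rule
        got=$(sshd_setting "$file" "$1")
        [ -n "$got" ] || got="$3"
        if [ "$got" != "$2" ]; then
            echo "$1 is '$got' (wanted '$2')"
            failed=1
        fi
    done
    return "$failed"
}

# hardening_lines -> the lines to put at the TOP of /etc/ssh/sshd_config on Ubuntu 18.04
# (OpenSSH 7.6 has no Include). On OpenSSH 8.2+ (Ubuntu 20.04 and later) they can go in
# /etc/ssh/sshd_config.d/10-lab.conf instead, which the stock config includes before its
# own settings; that file name is an assumption of this example.
hardening_lines() {
    printf '%s\n' \
        "PasswordAuthentication no" \
        "PermitRootLogin no" \
        "PubkeyAuthentication yes" \
        "PermitEmptyPasswords no"
}

# Stand-alone use: sh sshd_audit.sh /etc/ssh/sshd_config   (script name is a placeholder)
if [ -n "$1" ]; then
    audit_sshd_config "$1" && echo "$1: no weak settings found"
fi
```

The sequence on the server is: sudo apt install openssh-server if the package is missing, ssh-keygen -t ed25519 on the workstation and ssh-copy-id <username>@<ip_of_server> to install the public key, confirm a key login works, then add the hardening lines, check them with sudo sshd -t and apply with sudo systemctl reload ssh while the existing session stays open as a fallback.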

Step 10: Snapshot and clone your server VM


At this point, it makes sense to ensure that you can always return your VM to its current
known good state. To do this, first power down the VM (don't restart); its VirtualBox
window will close. Then select the VM in the left-hand menu, and click the green plus sign
(+, also marked "Take") in the upper bar.

Step 11: Adjust VM hostnames


This is pretty simple. Three tasks are required to change the hostname of an Ubuntu server:
First, edit the file /etc/hosts using sudo vi.
sudo vi /etc/hosts
Change the hostname as represented in the second line of this file.
127.0.1.1 old_hostname # change 'old_hostname' to the new hostname

Save the file (exit vi with ESC, followed by :wq). Then edit the file /etc/hostname the
same way:
sudo vi /etc/hostname
and change the old hostname to the new hostname there, saving the file once you've done so.
Finally, either issue a hostname command to update the hostname for the running system:
sudo hostname my_new_hostname
or simply log out and back in.
Result:
Thus the Linux server has been installed on VirtualBox and SSH has been installed
successfully.
EX NO:8
USE FAIL2BAN TO SCAN LOG FILES AND BAN IPS THAT
DATE: SHOW THE MALICIOUS SIGNS

Aim:
To scan log files and ban IPs that show malicious signs using Fail2ban.

Procedure:
The purpose of Fail2ban is to monitor the logs of common services to spot patterns in
authentication failures.

When fail2ban is configured to monitor the logs of a service, it uses a filter that has been
configured specifically for that service. The filter is designed to identify authentication
failures for that service through regular expressions, a common pattern-matching language.
The filter stores these regular expression patterns in an internal variable called
failregex.

Exploring Fail2ban Service Settings:

Fail2ban is configured through several files located within a hierarchy under the
/etc/fail2ban/ directory.

The fail2ban.conf file configures some operational settings like the way the daemon
logs info, and the socket and pid file it will use. The main configuration, however, is
specified in the files that define the per-application “jails”.

By default, fail2ban ships with a jail.conf file. However, this can be overwritten in
updates, so you should copy this file to a jail.local file and make adjustments there.

sudo nano /etc/fail2ban/jail.local

If you don’t have a jail.local file already, or the file you opened was blank, copy
over the jail.conf file and then open the new file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local

The Default Section:

The first portion of the file defines the defaults for fail2ban policy: which addresses are
never banned (ignoreip), how long a ban lasts (bantime), the window and number of failures
that trigger one (findtime and maxretry), the log backend, and the default action. These
options can be overridden in each individual service's configuration section.
Service Specific Sections:

Beneath the default section, there are sections for specific services that can be used to
override the default settings. This follows a convention of only modifying the parameters
that differ from the normal values (convention over configuration).

Each section header is specified like this:

[service_name]

Any section that has the line enabled = true will be read and enabled.

Within each section, the parameters are configured, including the filter file that
should be used to parse the logs (minus the file extension) and the location of the log
files themselves.

Keeping this in mind, the section for the SSH service ([sshd]) only needs to enable the
jail, name its filter (sshd) and point at the SSH log, optionally adjusting the port and
maxretry.

All of the other pieces of information that it needs are taken from the parameters
defined in the [DEFAULT] section. For instance, the action will be set to action_, which
bans the offending IP address using the iptables-multiport banaction; this references a
file called iptables-multiport.conf found in /etc/fail2ban/action.d.
As you can see, the actions in the [DEFAULT] section should be general and flexible.
Using parameter substitution along with parameters that provide sensible defaults makes it
possible to override definitions when necessary.

Examining the Filter File:

The filter file will determine the lines that fail2ban will look for in the log files to
identify offending characteristics. The action file implements all of the actions required,
from building up a firewall structure when the service starts, to adding and deleting rules,
and tearing down the firewall structure when the service stops.

Let's look at the filter file that our SSH service called for in the configuration above,
/etc/fail2ban/filter.d/sshd.conf:
The [INCLUDES] section header specifies other filter files that are read in
before or after this file. In our example, the common.conf file is read in and placed
before the other lines in this file. This sets up some parameters that we will be using in
our configuration.

Next, we have a [Definition] section that defines the actual rules for our filter
matches. First, we set the name of the daemon we are monitoring by using the _daemon
parameter.

After that, we go through the actual failregex definition, which sets the patterns
that will trigger when a matching line in the log file is found. These are regular
expressions that match based on the different errors and failures that can be thrown when
a user does not authenticate correctly.

Portions of the line like %(__prefix_line)s are substituted with the value of a parameter
set up in the common.conf file that we sourced. This matches the leading information
(timestamp, hostname, and process name with its PID) that operating systems write to log
files when they use standard methods, such as the lines sshd writes to /var/log/auth.log.
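The flow the filter and jail settings describe (match failregex, discard what ignoreip covers, count per client, ban at maxretry) can be reproduced with sed, grep and awk to see which lines would and would not trigger a ban. The script below is an added example, not from the manual or the fail2ban project. Real fail2ban compiles Python regular expressions from filter.d in which a <HOST> token captures the client; FAILREGEX here is a hand-simplified grep/sed equivalent with <HOST> replaced by an explicit address capture, and the log lines are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not from the manual: the failregex -> ignoreip -> count -> ban flow of
# fail2ban, run over constructed auth.log lines. findtime is not modelled; all sample lines
# fall inside one window. Constructed sample of /var/log/auth.log (not from a real system):
write_sample_auth_log() {
    cat > "$1" <<'EOF'
May  5 10:00:01 server sshd[2001]: Failed password for root from 203.0.113.7 port 51234 ssh2
May  5 10:00:03 server sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May  5 10:00:05 server sshd[2003]: Invalid user oracle from 203.0.113.7 port 51250
May  5 10:00:09 server sshd[2004]: Failed password for root from 203.0.113.7 port 51260 ssh2
May  5 10:00:10 server sshd[2005]: Accepted publickey for user from 198.51.100.4 port 40000 ssh2
May  5 10:00:11 server sshd[2006]: Failed password for user from 198.51.100.4 port 40002 ssh2
May  5 10:00:12 server sshd[2007]: Failed password for root from 10.0.0.9 port 33000 ssh2
May  5 10:00:13 server sshd[2008]: Failed password for root from 10.0.0.9 port 33001 ssh2
May  5 10:00:14 server sshd[2009]: Failed password for root from 10.0.0.9 port 33002 ssh2
May  5 10:00:15 server sshd[2010]: Failed password for root from 10.0.0.9 port 33003 ssh2
May  5 10:00:16 server sshd[2011]: Failed password for root from 2001:db8::5 port 44000 ssh2
EOF
}

# Simplified stand-in for the failregex lines of filter.d/sshd.conf. Group 3 plays the
# role of <HOST>; it accepts IPv4 and IPv6 addresses.
FAILREGEX='sshd\[[0-9]+\]: (Failed password for( invalid user)? [^ ]+|Invalid user [^ ]+) from ([0-9a-fA-F.:]+)'
IGNOREIP='10.0.0.9'   # stands in for ignoreip in jail.local: never banned, whatever it does
MAXRETRY=3            # stands in for maxretry

# offending_hosts LOG -> the client address of every line that matches FAILREGEX
offending_hosts() {
    sed -nE "s/.*$FAILREGEX.*/\3/p" "$1"
}

# ban_candidates LOG [MAXRETRY] -> hosts with at least MAXRETRY failures, minus IGNOREIP
# (grep -vxF drops exact matches of the single ignored address; use one -e per address
# if you list several)
ban_candidates() {
    offending_hosts "$1" | grep -vxF "$IGNOREIP" | sort | uniq -c |
        awk -v max="${2:-$MAXRETRY}" '$1 >= max { print $2 }'
}

# write_jail_local DIR -> a jail.local fragment that expresses the same policy for real
write_jail_local() {
    cat > "$1/jail.local" <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 $IGNOREIP
bantime  = 1h
findtime = 10m
maxretry = $MAXRETRY

[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
EOF
}

# Stand-alone use: sh fail2ban_flow.sh /var/log/auth.log   (script name is a placeholder)
if [ -n "$1" ]; then
    echo "hosts to ban (maxretry=$MAXRETRY):"
    ban_candidates "$1"
fi
```

On the sample, 203.0.113.7 is the only candidate at the default threshold: 10.0.0.9 has as many failures but is covered by ignoreip, and the single failure from 198.51.100.4 sits below maxretry. Against a real filter the same check is fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf, and fail2ban-client status sshd shows what the running jail has actually banned.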
Examining the Action File:

This file is responsible for setting up the firewall with a structure that allows
modifications for banning malicious hosts, and for adding and removing those hosts as
necessary.

The action that our SSH service invokes is called iptables-multiport. Open the
associated file now:

sudo nano /etc/fail2ban/action.d/iptables-multiport.conf

How the Fail2ban Service Processes Configuration Files to Implement Bans:


Loading the Initial Configuration Files:
First, the main fail2ban.conf file is read to determine the conditions that the main process
should operate under. It creates the socket, pid, and log files if necessary and begins to
use them.
Next, fail2ban reads the jail.conf file for configuration details. It follows this by reading,
in alphabetical order, any files found in the jail.d directory that end in .conf. It adds the
settings found in these files to its internal configuration, giving new values preference
over the values described in the jail.conf file.
It then searches for a jail.local file and repeats this process, adapting the new values.
Finally, it searches the jail.d directory again, reading in alphabetical order files ending
in .local.
In our case, we only have a jail.conf file and a jail.local file. In our jail.local file, we only
need to define the values that differ from the jail.conf file. The fail2ban process now has
a set of directives loaded into memory that represent a combination of all of the files that
it found.

It examines each section and searches for an enabled = true directive. If it finds one, it
uses the parameters defined under that section to build a policy and decide what actions
are required. Any parameters that are not found in the service’s section use the
parameters defined in the [DEFAULT] section.

Parsing the Action Files to Determine Starting Actions:

Fail2ban looks for an action directive to figure out what action script to call to
implement the banning/unbanning policies. If one is not found, it falls back on the
default action determined above.

The action directive consists of the name of the action file(s) that will be read, as well as
a key-value dictionary that passes the parameters needed by those files. The values of
these often take the form of parameter substitutions by referencing the settings
configured in the service’s section. The “name” key is usually passed the value of the
special __name__ variable that will be set to the value of the section’s header.

Fail2ban then uses this information to find the associated files in the action.d directory. It
first looks for the associated action file ending in .conf and then amends the information
found there with any settings contained in an accompanying .local file also found in the
action.d directory.

Parsing the Filter Files to Determine Filtering Rules:

The parameters for the service in the jail.* files also include the location of the log file as
well as the polling mechanism that should be used to check the file (this is defined by the
backend parameter). It also includes a filter that should be used to determine whether a
line in the log represents a failure.

Fail2ban looks in the filter.d directory to find the matching filter file that ends with .conf.
It reads this file to define the patterns that can be used to match offending lines. It then
searches for a matching filter file ending with .local to see if any of the default
parameters were overwritten.

It uses the regular expressions defined in these files as it reads the service’s log file. It
tries each failregex line defined in the filter.d files against every new line written to the
service’s log file.

If the regular expression returns a match, it checks the line against the regular
expressions defined by the ignoreregex. If this also matches, fail2ban ignores it. If the
line matches an expression in the failregex but does not match an expression in the
ignoreregex, an internal counter is incremented for the client that caused the line and an
associated timestamp is created for the event.
As the window of time set by the findtime parameter in the jail.* files is reached (as
determined by the event timestamp), the internal counter is decremented again and the
event is no longer considered relevant to the banning policy.
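
The failregex/ignoreregex matching and the findtime window described above, as an added Python model (not fail2ban's own code): the log lines, the simplified patterns, the trusted host in the ignoreregex and the assumed year are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from a real host); syslog format carries no year
SAMPLE_LOG = """\
Mar 13 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 4000 ssh2
Mar 13 10:00:05 host sshd[1002]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar 13 10:00:09 host sshd[1003]: Failed password for root from 203.0.113.7 port 4002 ssh2
Mar 13 10:00:12 host sshd[1004]: Accepted password for john from 198.51.100.5 port 5000 ssh2
Mar 13 10:20:30 host sshd[1005]: Failed password for root from 198.51.100.5 port 5001 ssh2
"""

# Patterns in the style of filter.d/sshd.conf (simplified, not the shipped ones); <HOST> is
# fail2ban's placeholder for the client address and is expanded by compile_rules
FAILREGEX = [r"Failed password for (invalid user )?\S+ from <HOST>"]
IGNOREREGEX = [r"from 198\.51\.100\.5 "]  # constructed: a trusted management host
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

def compile_rules(patterns):
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]

def first_match(rules, line):
    for rule in rules:
        m = rule.search(line)
        if m:
            return m
    return None

def parse_ts(line, year=2024):
    """Syslog timestamps have no year; assume one so the events can be ordered."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def scan(log_text, findtime=600, maxretry=3, failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Hosts that would be banned, in order: maxretry counted failures within findtime seconds."""
    fails, ignores = compile_rules(failregex), compile_rules(ignoreregex)
    events = defaultdict(list)  # host -> timestamps of failures still inside the window
    banned = []
    for line in log_text.splitlines():
        m = first_match(fails, line)
        if m is None or first_match(ignores, line):
            continue  # not a failure, or a failure the ignoreregex says to discard
        host, ts = m.group("host"), parse_ts(line)
        # failures older than findtime drop out: this is the counter being "decremented"
        events[host] = [t for t in events[host] if (ts - t).total_seconds() <= findtime]
        events[host].append(ts)
        if len(events[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned
```

With the defaults the three failures from 203.0.113.7 arrive within eight seconds and trigger a ban; with findtime=5 the first one has aged out by the time the third arrives, so no ban results.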

Result:
Thus, scanning log files and banning IPs that show malicious signs using fail2ban has
been executed successfully.

EX NO:9
DATE:
LAUNCH BRUTE-FORCE ATTACKS ON THE LINUX SERVER USING HYDRA

Aim:
To launch brute-force attacks on the Linux server using Hydra.

Procedure:
Hydra is a fast and flexible login cracker which can be used on both Linux and
Windows, and supports protocols like AFP, HTTP-FORM-GET, HTTP-GET, HTTP-
FORM-POST, HTTP-HEAD, HTTP-PROXY, and many more.

Hydra is installed by default on Kali Linux. There are both command line and
graphical versions of Hydra, but real developers use command line.

Launching a Brute Force Attack with Hydra:

The best way to explain how Hydra functions is to walk through a scenario, so I’m going
to set the scene for you. Our reconnaissance has discovered some information about users
and systems on a network. We know there is a CentOS 7 system named Mangia with an
IP address of 192.168.122.167. We also know that a user named John frequently uses this
machine. Armed with this information, we will attempt a brute force attack on the
discovered system. We will be utilizing Hydra to perform a hybrid brute force dictionary
attack on the Mangia system, but first, we need a dictionary.

Penetration testing distributions like Kali Linux often come with a collection of word
lists or dictionaries containing common passwords. There are also many additional
password dictionaries available to download from online resources. In this example, we
will be using the information we already have about the system to build our own word list.

Since Mangia (Italian for eat) is the name of the system, we will use a list of Italian foods.
Using the cat command we can view the list we have assembled.

We will also create a list of usernames for the system to try and store them in the
usernames.txt file.

Here we will be passing a few options to Hydra. The first option is -V for verbose output.
Then -L followed by the file containing the usernames we want to try. The -P option tells
Hydra to use words from the following text file. The -t 1 option allows only one task to
run at a time to avoid security features that may shut down a high volume of attempts.
The last option, -f, tells Hydra to stop when a successful username and password
combination is found.

Manipulating Word Lists with RSMangler:

RSMangler takes a word list and performs various manipulations on it. It has
options for just about any password combination you can think of. RSMangler can
reverse, permutate, double, change case, add the year, add numbers, add punctuation and
much more. Be careful though: by default ALL options are on, which can generate a
huge dictionary file. For this brute force attack demonstration we will only be selecting a
few options.

Here we are invoking the rsmangler script, using the --file option to specify the
input file and redirecting its output to a new file. The rest of the options are as follows:

-m 5  Minimum word length of 5 characters
-x 15 Maximum word length of 15 characters
-u    Uppercase the word
-l    Lowercase the word
-d    Double each word (e.g. pizzapizza)
-p    Permutate all the words
-t    L33t speak the words (e.g. p1224)
-y    Add all years from 1990 to current year to start and end of words

Using the Mangled Word List with Hydra:

Now that we have a more robust password dictionary we can launch another brute
force attack attempt to crack the password. This time we will pass the new mangled
password list to Hydra and hope we get a hit.

NOTE: This can take some time, even with the limited credential combinations that
we are using. We have 2 usernames and 2,369 possible password combinations, so we
will have a total of 4,738 login attempts. Not the most subtle attack, but that’s an article
for another time.

We have a hit! Hydra was able to find a valid username and password combination.

Now we should be able to log in to the system with John's credentials. Let's give it a
try.

Result:
Thus, launching brute-force attacks on the Linux server using Hydra has been
executed successfully.

EX NO:10
DATE:
PERFORM REAL-TIME NETWORK TRAFFIC ANALYSIS AND PACKET LOGGING USING SNORT

Aim:
To perform real-time network traffic analysis and packet logging using Snort.

Procedure:
Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort
IPS uses a series of rules that help define malicious network activity and uses those rules to
find packets that match against them and generates alerts for users.
Snort can be deployed inline to stop these packets, as well. Snort has three primary uses:
As a packet sniffer like tcpdump, as a packet logger — which is useful for network traffic
debugging, or it can be used as a full-blown network intrusion prevention system. Snort
can be downloaded and configured for personal and business use alike.
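
To show how a rule set turns packets into alerts, here is a minimal Python matcher for the Snort rule header (action, protocol, addresses, ports, direction) and the content option. It is an added example, not Snort's code; the rules, the $HOME_NET value and the packets are constructed, and the sids sit in the local (>= 1000000) range as placeholders:

```python
import re
# Constructed rules in Snort rule syntax; sids in the local (>= 1000000) range are placeholders
RULES = """
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection attempt"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 80 (msg:"HTTP GET request"; content:"GET "; sid:1000002; rev:1;)
alert icmp $HOME_NET any <> any any (msg:"ICMP to or from home net"; sid:1000003; rev:1;)
"""
HOME_NET = {"10.0.0.5"}  # constructed: the protected hosts, standing in for snort.conf's $HOME_NET
HEADER = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
                    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")

def parse_rules(text):
    """One rule per line -> list of dicts; option values are assumed not to contain ';'."""
    rules = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = HEADER.match(line)
        if m is None:
            raise ValueError("malformed rule: " + line)
        rule = m.groupdict()
        opts = (o.partition(":") for o in rule.pop("opts").split(";") if o.strip())
        rule["opts"] = {k.strip(): v.strip().strip('"') for k, _, v in opts}
        rules.append(rule)
    return rules

def _ok(spec, value):  # one address or port field: 'any', the $HOME_NET variable, or an exact value
    return spec == "any" or (spec == "$HOME_NET" and value in HOME_NET) or spec == str(value)

def _header_ok(r, src, sport, dst, dport):
    return all(_ok(s, v) for s, v in zip((r["src"], r["sport"], r["dst"], r["dport"]), (src, sport, dst, dport)))

def matches(r, p):
    if r["proto"] != p["proto"]:
        return False
    # '<>' is bidirectional: the header also matches with source and destination swapped
    ok = _header_ok(r, p["src"], p["sport"], p["dst"], p["dport"]) or (
        r["dir"] == "<>" and _header_ok(r, p["dst"], p["dport"], p["src"], p["sport"]))
    return ok and r["opts"].get("content", "").encode() in p["payload"]  # no content: any payload

def alerts(rules, packets):
    """(sid, msg) for every alert rule each packet matches, in packet order."""
    return [(r["opts"]["sid"], r["opts"]["msg"]) for p in packets for r in rules
            if r["action"] == "alert" and matches(r, p)]

PACKETS = [dict(zip(("proto", "src", "sport", "dst", "dport", "payload"), t)) for t in [
    ("tcp", "203.0.113.7", 40000, "10.0.0.5", 22, b"SSH-2.0-OpenSSH_9.6"),   # constructed traffic,
    ("tcp", "203.0.113.7", 40001, "10.0.0.5", 80, b"GET / HTTP/1.1\r\n"),    # not a real capture
    ("tcp", "203.0.113.7", 40002, "10.0.0.5", 80, b"POST / HTTP/1.1\r\n"),
    ("icmp", "198.51.100.9", 0, "10.0.0.5", 0, b""),
]]
```

The POST packet hits the header of the second rule but not its content option, so it raises no alert; the inbound ICMP packet only matches the third rule because '<>' lets its header apply with source and destination swapped.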

Traffic Generator

The machine is offline, but there is a script (traffic-generator.sh) for you to generate
traffic to your snort interface. You will use this script to trigger traffic to the snort
interface. Once you run the script, it will ask you to choose the exercise type and then
automatically open another terminal to show you the output of the selected action.

Note that each traffic type is designed for a specific exercise. Make sure you start the Snort
instance and wait until the end of the script execution. Don't stop the traffic flood unless
you chose the wrong exercise.

Run the “traffic-generator.sh” file by executing it as sudo.

(Figure: Executing the traffic generator script)

Once you choose an action, the menu disappears and opens a terminal instance to
show you the output of the action.

Result:
Thus, real-time network traffic analysis and packet logging using Snort has been
executed successfully.
